Hacker Breached EAC Website, Sought to Sell Passwords

The U.S. Election Assistance Commission (EAC) is responding to reports that its website was hacked and login credentials stolen and offered for sale online. PCWorld has more:

A Russian-speaking hacker has been found selling stolen login credentials for a U.S. agency that tests and certifies voting equipment, according to a security firm.

The hacker was attempting to sell more than 100 allegedly compromised login credentials belonging to the U.S. Election Assistance Commission (EAC), the security firm Record Future said in a Thursday blog post. The company said it discovered online chatter about the breach on Dec. 1.

Some of these credentials included the highest administrative privileges. With such access, an intruder could steal sensitive information from the commission, which the hacker claimed to have done, Recorded Future said.

According to screenshots obtained by Recorded Future, the hacker had access to details about tests of election systems and software.

The EAC shut down the affected application and issued the following statement:

The U.S. Election Assistance Commission (EAC) has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects.

The EAC does not administer elections. State and local jurisdictions run elections.

The EAC’s mission is to provide a clearinghouse of election administration best practices, administer a voluntary voting machine certification system, and survey election administration practices.

The EAC does not collect or store any personal information of voters. The EAC does not maintain voter databases. The EAC does not tabulate or store vote totals.

Upon detecting the intrusion, the EAC terminated access to the application and began working with federal law enforcement agencies to determine the source of this criminal activity. The FBI is currently conducting an ongoing criminal investigation. As such, questions concerning the investigation should be directed to the FBI.

Recorded Future, which initially identified the hack, says the hacker seems to be acting alone – though there is the possibility that other hackers could have exploited the vulnerability:

Recorded Future also said the hacker it identified doesn’t appear to be sponsored by any foreign government. The security firm’s blog post [link here – ed.] didn’t cite any evidence that the hack had resulted in vote-tampering in the election.

To pull off the breach, the hacker exploited an unpatched SQL injection vulnerability, a common attack point found in websites. The hacker may also have tried to sell details about this vulnerability to a broker working on behalf of a Middle Eastern government, Recorded Future said.

“It’s not uncommon for this type of vulnerability to lead to broader system level access, however, in this case the full extent of the EAC compromise remains unknown,” Recorded Future said.

The stolen login credentials could have also allowed a hacker to modify or plant malware on the commission’s web-facing application, the company said.

It’s unclear how long the vulnerability remained unpatched, so it’s possible other bad actors may have exploited it, Recorded Future said.

As the EAC and numerous media outlets have observed, the hack is not as serious as it could have been because the agency doesn’t actually administer elections, as is the case with central election authorities in other countries. Still, it’s a vivid reminder of the importance to election officials of keeping cybersecurity top of mind, given that any information could end up being of value to a hacker. It’s also eye-opening to realize that the hack went undetected until a non-governmental actor like Recorded Future picked up the trail.

The lesson here seems to be stay vigilant and make sure your software is up to date. I’m going to go do the latter now; you should all do the same – and stay tuned …

Published By

Partners

Contact Information

The copyright of these individual works published by the University of Minnesota Libraries Publishing remains with the original creator or editorial team. For uses beyond those covered by law, permission to reuse should be sought directly from the copyright owner listed in the About pages.